Security Lapse Exposed New York Airport's Critical Servers For a Year (zdnet.com) 45
An anonymous reader quotes a report from ZDNet: A security lapse at a New York international airport left its server backups exposed on the open internet for almost a year, ZDNet has found. The internet-connected storage drive contained several backup images of servers used by Stewart International Airport, but neither the backup drive nor the disk images were password protected, allowing anyone to access their contents. Since April last year, the airport had been inadvertently leaking its own highly-sensitive files as a result of the drive's misconfiguration. Vickery, who also posted an analysis of his findings, said the drive "was, in essence, acting as a public web server" because the airport was backing up unprotected copies of its systems to a Buffalo-branded drive, installed by a contract third-party IT specialist. When contacted Thursday, the contractor dismissed the claims and would not comment further. Though the listing still appears on Shodan, the search engine for unprotected devices and databases, the drive has since been secured. The files contained eleven disk images, accounting for hundreds of gigabytes of files and folders, which when mounted included dozens of airport staff email accounts, sensitive human resources files, interoffice memos, payroll data, and what appears to be a large financial tracking database. Many of the files we reviewed include "confidential" internal airport documents, which contain schematics and details of other core infrastructure.
Re: (Score:2)
specialist should be removed from this bonehead's reference...
Or quoted:
Installed by a contract third-party IT "specialist"
Re: (Score:2)
This is short for "My cousin Vinnie's 13 year old son. He's a whiz at these things"
Re: (Score:3)
This is short for "My cousin Vinnie's 13 year old son. He's a whiz at these things"
Barron is really good at the cyber
Comment removed (Score:4, Insightful)
Re: (Score:2)
I can believe it was the client's idea. As an IT guy, I would have walked away, after explaining that I wasn't going to be party to people too cheap or too stupid to do their job correctly, and risk the safety of everyone that uses that airport.
Re: (Score:3)
No.
As an IT guy myself, I would have (and did -- now retired) talked to anyone who would listen, including managing partners, and insisted on implementing best practices.
Then I would send an email to the whomevers and let them reject my recommendations for the record.
Business makes the final call. but I always covered my ass and had evidence that installations were to their specs, despite having been warned.
If the install was something they'd never actually have to manage, I'd change the admin password to
Re: (Score:3)
I used to do the same. I don't any more. After being thrown under the bus for doing EXACTLY what the customer said, against my recommendations(documented no less), no thank you.
WHICH happens to be a great way to make your point even stronger. Telling a customer "no, I won't" gets them to think, perhaps a little. I've had a couple people ask me why I won't, and basically say, "When the shit hits the fan, I don't want to be involved, don't want to clean the mess up, and don't want to take the fall for anyone
Re: (Score:2)
"Good IT is expensive, bad IT is costly".
I like it.
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Open internet? Why? (Score:2)
What is up with companies putting every machine they have on an open internet connection?
Once there used to be well considered decisions on what bits of the corporate infrastructure needed to be exposed at all.
Do they now hire just anybody who knows how to type a password by himself, and say "go for it! set up our security!".
Re: (Score:2)
My nephew is about to graduate from high school, and he's real interested in computer security... I think he's well qualified for that job of yours... don-cha-know?
Re: (Score:1)
Do they now hire just anybody who knows how to type a password by himself, and say "go for it! set up our security!".
This is what you get when a company views IT as strictly an expense that should be minimized, not an asset that keeps your shit working and secure.
"a Buffalo-branded drive" (Score:3)
Re: (Score:2)
Hanlon's Razor
Never attribute to malice that which can be explained by incompetence.
Re: (Score:1)
*Barely* an airport (Score:1)
Stewart is a relatively small airport They handle a relatively small number of commercial flights in a day. A minor number are international. It qualifies as an international airport by virtue of having customs and handling a few international flights, but at least this somewhere like Newark Liberty or JFK, it's an airport way out in the country in Orange County, an hour from NYC. Making a mistake like this at an airport this size, while in excusable, is not a shock.
Re: (Score:2)
And courtesy of the Bureau of Transportation, as of November 2016 they have only *eight* scheduled flights per day in *total* to any de
Re: (Score:2)
Stewart = ConAir departure point (Score:2, Informative)
I've been flown out of Stewart a couple of times. It's the departure point for New York area Federal prisoners bound for FTC Oklahoma City and other points. The US Marshals drive buses and vans from all over the area (MDC Brooklyn, MCC Manhattan, Danbury, Ft. Dix, etc.) every Tuesday and Thursday afternoon to Stewart to meet a white, unmarked JPATS jet (737 or MD-80). Prisoners are usually in paper jumpsuits, shackled ankles, wrists, and waist, and are patted down on the apron next to the jet.
Transfer ta
Really? (Score:2)